WIP: Design: Vulnerability occurrences and instances
Background
Today, we handle and display vulnerabilities in a 1:1 format: every vulnerability we detect gets its own record and its own details page from which we ask users to triage it. This approach inflates the number of vulnerabilities shown for a project and generates a lot of repetitive work to manage and track triage and remediation efforts.
The lack of a one-to-many model (one unique vulnerability : many vulnerability instances) leads to inefficiencies in the vulnerability management workflow and frustrates users with 1000+ vulnerabilities in a project.
To make this concrete, take an example project with real findings. Today (project to-be-named) has 3286 total vulnerabilities, of which only 92 are unique. In other words, the 3286 records are 3286 instances of just 92 vulnerabilities. This illustrates the opportunity for a grouping method that makes managing large numbers of vulnerabilities much less burdensome on the user.
Problem Statement
How might we reduce the workload on security analysts while providing them with an experience tailored to managing large numbers of vulnerabilities?
Consider two cases: multiple vulnerabilities share the same resolution (e.g. upgrade Rails), or the same (or a very similar) vulnerability occurs on several branches and should all map to the single vulnerability on the default branch. Today there is no way to avoid duplication in either case, because vulnerability occurrences -> vulnerabilities -> issues are all 1:1 relationships. We need to uncover the key 1:many and many:1 relationships between these entities to make vulnerability management more efficient and flexible.
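To illustrate the relationships described above, here is an added Ruby sketch (not GitLab code, and not a proposal for the actual schema) that takes the per-location, per-branch records scanners produce today and derives the two groupings the problem statement asks for: many occurrences to one unique vulnerability, and many vulnerabilities to one resolution. The grouping key, the field names, the advisory identifiers and the finding data are all constructed for the example.

```ruby
require 'digest'

# One detected finding as scanners report them today: a separate record for
# every location on every branch. Field names are assumptions for this example.
Finding = Struct.new(:id, :identifier, :scanner, :package, :location,
                     :branch, :severity, :fix, keyword_init: true)

# Constructed sample data: 7 occurrences that are really 3 unique
# vulnerabilities with 2 distinct fixes.
FINDINGS = [
  Finding.new(id: 1, identifier: 'ADVISORY-A', scanner: 'dependency_scanning', package: 'rails',
              location: 'Gemfile.lock', branch: 'main', severity: 'high', fix: 'upgrade rails'),
  Finding.new(id: 2, identifier: 'ADVISORY-A', scanner: 'dependency_scanning', package: 'rails',
              location: 'Gemfile.lock', branch: 'feature-x', severity: 'high', fix: 'upgrade rails'),
  Finding.new(id: 3, identifier: 'ADVISORY-A', scanner: 'dependency_scanning', package: 'rails',
              location: 'services/api/Gemfile.lock', branch: 'main', severity: 'high', fix: 'upgrade rails'),
  Finding.new(id: 4, identifier: 'ADVISORY-B', scanner: 'dependency_scanning', package: 'rails',
              location: 'Gemfile.lock', branch: 'main', severity: 'medium', fix: 'upgrade rails'),
  Finding.new(id: 5, identifier: 'ADVISORY-B', scanner: 'dependency_scanning', package: 'rails',
              location: 'Gemfile.lock', branch: 'feature-x', severity: 'medium', fix: 'upgrade rails'),
  Finding.new(id: 6, identifier: 'ADVISORY-C', scanner: 'dependency_scanning', package: 'nokogiri',
              location: 'Gemfile.lock', branch: 'main', severity: 'low', fix: 'upgrade nokogiri'),
  Finding.new(id: 7, identifier: 'ADVISORY-C', scanner: 'dependency_scanning', package: 'nokogiri',
              location: 'Gemfile.lock', branch: 'release-1', severity: 'low', fix: 'upgrade nokogiri')
].freeze

DEFAULT_BRANCH = 'main'.freeze
SEVERITY_RANK = { 'critical' => 4, 'high' => 3, 'medium' => 2, 'low' => 1 }.freeze

# Stable key for the *unique vulnerability*: same scanner, identifier and
# affected package, regardless of which file or branch it was found on.
# (Assumed key; the real deduplication rule is a design decision.)
def vulnerability_key(finding)
  Digest::SHA256.hexdigest([finding.scanner, finding.identifier, finding.package].join('|'))[0, 16]
end

# Worst severity across all occurrences, so triage order is driven by the
# most serious instance rather than by whichever record happened to be first.
def highest_severity(occurrences)
  occurrences.map(&:severity).max_by { |s| SEVERITY_RANK.fetch(s, 0) }
end

# many occurrences : one vulnerability. The default-branch occurrence is the
# canonical one; occurrences on other branches attach to it instead of
# becoming separate vulnerabilities.
def group_vulnerabilities(findings)
  findings.group_by { |f| vulnerability_key(f) }.map do |key, occurrences|
    canonical = occurrences.find { |o| o.branch == DEFAULT_BRANCH } || occurrences.first
    {
      key: key,
      identifier: canonical.identifier,
      package: canonical.package,
      severity: highest_severity(occurrences),
      fix: canonical.fix,
      occurrences: occurrences,
      branches: occurrences.map(&:branch).uniq.sort
    }
  end
end

# one resolution : many vulnerabilities, e.g. a single "upgrade rails" action
# that closes several advisories at once.
def group_by_fix(vulnerabilities)
  vulnerabilities.group_by { |v| v[:fix] }
end

# The numbers a user would see under the two models.
def summary(findings)
  vulns = group_vulnerabilities(findings)
  { occurrences: findings.size, unique: vulns.size, fixes: group_by_fix(vulns).size }
end

if __FILE__ == $PROGRAM_NAME
  puts summary(FINDINGS).inspect
  group_vulnerabilities(FINDINGS).each do |v|
    puts "#{v[:identifier]} (#{v[:package]}, #{v[:severity]}): " \
         "#{v[:occurrences].size} occurrences on #{v[:branches].join(', ')}; fix: #{v[:fix]}"
  end
end
```

Run on the constructed data, the 7 records collapse to 3 unique vulnerabilities and 2 resolutions, which is the same shape as the 3286-to-92 ratio in the example project above. Note that the grouping key is the design decision that matters: keying on identifier and package alone would merge findings from different scanners, while keying on location would keep the branch duplicates apart.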
Intended users
JTBD (jobs to be done)
Primary
When I am managing vulnerabilities for my organization, I want to maintain a single source of truth with all the contextual information, actions and decisions for a particular vulnerability in one place, so I can easily stay informed and spend my time on proactive activities, not hunting down information from different areas.
Secondary
When I am managing vulnerabilities for my organization, I want to address all serious and time-sensitive threats first, so I can ensure my company is not at risk of an imminent attack or breach.
User experience goal
[ ]
Proposal
[ ]